Threat Insights: The Future of Smart and Automated Threats

Threat report data is only as useful as the analysis and context that goes along with it. We asked Derek Manky, global security strategist with our FortiGuard Labs team, to share his thoughts on what some of the data in our recent Threat Landscape Report means going forward.

What at a high level did you find interesting in the report? What did the data tell you from your global point of view?

A few things stood out to me based on my years of working with the FortiGuard Labs team. At a high level, visibility and control over today’s expanded infrastructure are diminishing as the number of potential attack vectors across the expanded network landscape continues to grow. The rush to adopt cloud services, the growth of IoT, and the variety and volume of smart devices connecting to the network, have stretched security professionals past their limits. This essentially means there are more and more exposed attack vectors.

Something else interesting that we found is that the cyber problem today is really a global problem. In fact, we found less differences than in the past in different regions and many industries have similar attack vectors.

You had some valuable perspective a few weeks ago right after WannaCry about take-aways from big global threats. Given the report findings, can you make any connections from what you are seeing at a high level and our data?

While the more high profile attacks have dominated the headlines, the reality is that the majority of threats faced by most organizations are opportunistic in nature fueled by modern automated attack tools that enable adversaries to operate on a global scale at light speed.

What this means is that there is a growing and urgent need to mitigate against pervasive “Cybercrime as a Service” attacks with automation to correlate intelligence and synchronize response at speed and scale. This is something I mentioned in my 2017 Cybersecurity Predictions. You have to fight automation with automation.

Can you elaborate a bit more on what you think this could mean for attacks in the future?

Studying malware can help provide views into the preparation and intrusion stages of these attacks. Although protecting against mobile malware is particularly challenging because devices are not shielded on the internal network, are frequently joining public networks, and often are not under corporate ownership or control.

Threats are getting smarter and are increasingly able to operate autonomously. I expect to see more malware designed with adaptive, success-based learning to improve the success and efficacy of attacks. This new generation of malware will be situation-aware, meaning that it will understand the environment it is in and make calculated decisions about what to do next. In many ways, it will begin to behave like a human attacker: performing reconnaissance, identifying targets, choosing methods of attack, and intelligently evading detection.

This next generation of malware uses code that is a precursor to artificial intelligence, that replaces traditional ‘if not this, then that’ code logic with more complex decision-making trees. Autonomous malware operates much like branch prediction technology, which is designed to guess which branch of a decision tree a transaction will take before it is executed. A branch predictor keeps track of whether or not a branch is taken, so when it encounters a conditional jump that it has seen before it makes a prediction so that over time the software becomes more efficient.

Autonomous malware, as with intelligent defensive solutions, are guided by the collection and analysis of offensive intelligence, such as types of devices deployed in a network segment, traffic flow, applications being used, transaction details, time of day transactions occur, etc. The longer a threat can persist inside a host that better it will be able to operate independently, blend into its environment, select tools based on the platform it is targeting, and eventually, take countermeasures based on security tools in place.

If you look at what has happened with IoT devices last year and you combine that with your discussion around automation, what could this mean for the threat landscape?

Many things but for starters, we will also see the growth of cross-platform autonomous malware designed to operate on and between a variety of mobile devices. These cross-platform tools, or “transformers,” include a variety of exploit and payload tools that can operate across different environments. This variant of autonomous malware includes a learning component that gathers offensive intelligence about where it has been deployed, including the platform on which it has been loaded, then selects, assembles, and executes an attack against its target using the appropriate payload.

Transformer malware is being used to target cross-platform applications with the goal of infecting and spreading across multiple platforms, thereby expanding the threat surface and making detection and resolution more difficult. Once a vulnerable target has been identified, these tools can also cause code failure and then exploit that vulnerability to inject code, collect data, and persist undetected.

The take-away is that autonomous malware, including transformers, that are designed to proactively spread between platforms can have a devastating effect on our increasing reliance on connected devices to automate and perform everyday tasks. It will require highly integrated and intelligent security technologies that can see across platforms, correlate threat intelligence, and automatically synchronize a coordinated response.

I look forward to commenting in more detail soon when I take a look at our 2017 Cybersecurity Predictions mid-year.